Some of the following material was abstracted from an online course being
produced for Seattle Pacific University. Courses are a combination of text,
rigorous offline practical exercises and online discussion, chat, and media.

Introduction

Like building architects, artists, and other creators of environments, security
architects would prefer blank canvases. The lure of the latest technology, especially
that which promises the tightest security, beckons. It would be best if we could
pick the products and methodologies that would serve the security goals of our
paranoid fantasies, but it would be naïve to do so. Few, if any, organizations
have the financial resources to offer this—or, more importantly, the time
and effort required to rip out existing systems and put devices in place for
our pleasure. Our security design, in most cases, must spring forth from the
existing systems and applications. We can replace, upgrade, insert, and migrate,
but we cannot ignore the current status quo. In fact, our design can reap great
benefits from our knowledge of existing systems. We can move to protect the
most sensitive systems or we can protect internal weaknesses by securing the
perimeters, but first we have to know what they are. Additionally, we cannot
ignore planned upgrades and rollouts. Politics, commitments, and financial
impediments will keep you from stopping all but the worst assaults on secure
practices, so you will have to factor these systems into your security design.

As a Windows professional, you have already invested time in studying the assessment
and mapping of current information systems, technologies, and organizational
structures. Now it's time to learn how to take that information and begin to
place it within the security framework. Specifically, you want to be able to
zero in on the strengths and weaknesses inherent in these existing units. To
do so, you must have an overall plan or security policy to follow. Needless
to say, many other people in the organization join you in taking security seriously,
including the management team.